Enabling users to run applications with alternate accounts

An alternate account is typically a privileged or administrator account in Active Directory that's associated with an owner account. You can log in to the alternate account using your main account.

For example, system administrators typically have several accounts: a user account for general log-ins and an administrative account to access specific systems and services.

To enable users to run applications with alternate accounts, do the following:

  1. Set up alternate accounts for users in Privileged Access Service.
  2. Install a cloud connector in your domain and make sure that the Web Server (IWA) service is enabled.
  3. Enable the policy entitled "Enable run with alternate account."
  4. (Optional but recommended) Configure the following policies to set up a grace period after which users running applications with alternate accounts must re-authenticate:

    • "Require re-authentication to run application with alternate account"
    • "Configure Windows authentication grace period for run with alternate account"
  5. Install the Centrify Agent for Windows and enable the Centrify Identity Services Platform service on each computer where you want users to be able to run with alternate accounts.

If you don't enable the run with alternate account feature, your users can still run applications with these alternate accounts by logging in to Privileged Access Service and checking out the password.